May 2008 - Posts

State Street Corp., the global money manager based out of Boston, is alerting 45,000 customers and employees that they may be at an increased chance of identity theft. More specifically, they’re legacy customers and employees from Investors Financial Services (IBT), a firm that State Street acquired last year.

IBT had retained the services of a legal support vendor prior to being acquired, and this unnamed vendor lost computer equipment—no word on what type of equipment it may be—in December of last year. The story is receiving a small amount of coverage as of this time.

According to the coverage by bizjournals.com, it took State Street approximately five months to figure out the contents of stolen equipment, since the company had to “translate largely encrypted data into a readable format and gauge the extent of the data theft.” I couldn’t find this detail anywhere else, including State Street’s own site.

Initially, I thought that State Street must have used only file encryption to protect their clients’ and employees’ data, since a full disk encryption solution like AlertBoot wouldn’t have necessitated a time‑consuming effort to decrypt data. However, it’s quite obvious that State Street is working from backups to analyze the contents of the stolen equipment. In essence, there is no way to verify that the stolen equipment had other forms of protection like full disk encryption unless State Street decides to reveal that information.

Is one better than the other? What’s the difference? Well, as an example, AlertBoot full disk encryption ends up encrypting everything on the storage device. So, if full disk encryption is used on a laptop, the entire contents of the hard disk in the laptop—from customer data to your Solitaire program—is encrypted. Without providing the correct username and password, there is no way to access the contents of that laptop. Plus, decrypting the information is instantaneous—the moment you gain access to the computer, your information is decrypted (I’m glossing over the technical details here, obviously).

File encryption, however, means protecting individual files, so one has to mind whether a file is to be encrypted or not (and there is always the worry whether a critical file was encrypted if the computer gets lost or stolen). In many ways, it’s not as convenient as full disk encryption. However, there are pluses to file encryption over disk encryption. For example, you can still use your computer if you don’t remember your username and password for encrypted data—you just don’t have access to certain files, that’s all. Plus, if you forward a file‑encrypted document via e-mail, the data remains protected. This is not so with full disk encryption. If you e-mail a document from your hard drive encrypted computer to a colleague, he will not require the username and password to access that document. Of course, there’s nothing preventing one from using both full disk encryption and file encryption to protect data.

Another hospital in the UK has fallen to a data breach due to the lack of data encryption. The Isle of Wight NHS (National Health Services) has announced that they’re moving rapidly to encrypt their data, and is recommending it to all medical practices, according to the healthcarerepublic.com. I, too, would agree that full disk encryption solutions like AlertBoot are necessary in medical settings where large amounts of data are sent around via courier or other physical means.

The data breach was found when a routine check was carried out on the location of a backup computer tape—and, apparently, no one could find it. The lost tape had information on 38,650 patients. However, only 11,500 patients have been contacted to alert them of the breach (what’s that all about?)

The letter also mentioned that the contents of the tape were password‑protected and can only be read using special software. The former is not really adequate security, and the reasons for arriving at that conclusion are heavily documented. The latter—I’m ambivalent on whether it represents a form of security. On the one hand, it certainly makes it harder for one to access the data, since each software application has its own way of encoding information. This is why you can’t open your Excel file in Microsoft Word, for example. But, on the other hand, it’s a matter of finding the right software to get to the data.

Regardless of my position on the issue, the fact that the affected hospital has decided to encrypt all data perhaps indicates that relying on the obscurity of a file format is not the way to go when the safety of patient information is at stake. Data encryption must have been selected for a reason.

Incidentally, this case is probably representative of recent survey results quoted in The Tech Herald that suggest business owners (and, it seems to me, anyone in the position of leadership) have an “‘air of invincibility’ when it comes to the potential for their company to suffer an intentional or accidental data exposure.” According to that article, natural disasters weighed more heavily in their minds than data breaches.

I’m not sure if I can disagree with such an assessment—there could be a legitimate reason for thinking that way (flooding may be on your mind more often if you live in downtown New Orleans). But, I can tell you this much: natural disasters will happen. Data breaches will happen as well. However, of the two, there’s nothing one can actively do to prevent the former, whereas there are simple solutions like hard drive encryption to prevent the latter.

The importance of full disk encryption solutions for laptops and other digital media has been espoused a myriad of times by numerous security vendors like AlertBoot. We’ve all heard the stories regarding identity theft, and the importance of keeping Social Security Numbers safe. Then there are those unique stories that cause one’s jaws to slacken. Those unique, imaginative capers that remind me again and again why protecting data is no laughing matter.

For example, SSNs could be used to build up your wealth two cents at a time. Wired.com is reporting that a man in California, Michael Largen, did exactly that by using a common procedure used by brokerages and other companies to verify accounts.

Brokerages will often test the validity of a brokerage‑account to checking‑account link by depositing a small amount of money, usually measured in cents, into your checking account (this is usually known as an ACH setup). These small monies are known as micro‑deposits, and as far as I know, it’s free money. I know I’ve never been asked for two‑seven cents back by my brokerage account.

What Largen allegedly has done is create scripts programmed to open tens of thousands of online brokerage accounts. There is no need to deposit any money after opening a brokerage account—I mean, usually there is a minimum balance not to be charged brokerage fees and whatnot; but if you don’t deposit the money, what can the brokerages do? I guess they could file a lawsuit to recover two cents. Meanwhile, you can do whatever you want with that micro‑deposit.

Based on Wired’s story, it sounds like Largen wouldn’t have been caught had it not been for a clause in the Patriot Act that requires financial firms to verify the identity of their customers. Schwab.com, one of the companies affected by Largen’s shenanigans, found that over 5000 accounts were opened with fake information. Ultimately, Largen was able to accumulate over $50,000 from various companies using the above method, according to the affidavit filed by a Secret Service agent in charge of the investigation.

My question is, if the accounts were not set up under fake names and SSNs, would Largen have been found out? I mean, the guy was using the names of cartoon characters and made‑up SSNs, so no doubt these must have raised red flags for the auditors. But if Largen had used real names and their corresponding SSNs, would the brokerages have caught on? My guess is that the answer is yes…eventually—5000 recently opened, inactive accounts would be the first whiff of something being wrong.

However, I imagine that the use of invalid SSNs helped to alert the Schwab account auditors that something may be awry much sooner, leading to Largen’s successful arrest. New, inactive accounts may be problematic, but new accounts with fake data are even more problematic. If Largen had used stolen IDs, he may have been able to gain some time and pull off the scam.

Networkworld.com has a small slideshow of the top ten worst data breaches of all time when it comes to unencrypted data. Of course, these are only known instances, as networkworld.com points out. They also point out that the data breaches could have been prevented if the laptops in question had been secured with hard drive encryption, a service that is provided by AlertBoot, among others.

The number of people affected by each breach ranges from 228,000 to 28.6 million, although the latter figure is way off the mean, with most breaches relegated to less than 500,000 affected per instance. Of course, that’s still a huge number. Why carry around such sensitive information? Why store all that sensitive data in a laptop?

Carrying that amount of data on an everyday basis is just plain crazy. I mean, forget a laptop is involved. If someone told me that he had in his briefcase—right now, at this instance—500,000 names and SSNs printed out on letter‑sized sheets, and that this was true every day (and he wasn’t in the data transportation business), I’d think he was crazy for carrying that around. Or, at least I’d check to make sure he had handcuffed himself to the briefcase before asking, “But why?”

(If you pulled out your calculator to see if this is possible, my estimates show that all 500,000 names would fit in two briefcases, assuming four column sets of thirty names and SSNs per page; that each page can accommodate thirty rows of names; that names are printed on both sides of each page; that a stack of 500 pages will fit in a briefcase; and that two stacks will fit side by side…so, it’s not inconceivable, especially since none of the assumptions are a stretch, either. Well, except for the guy carrying this day in, day out.)

Clearly, in the pre‑digital era, people didn’t carry all that information around just because they can. So why do so now?

Well, that’s the thing—they weren’t all being carried around. Of the 10 cases listed, 6 cases cover an instance where the laptop was lost while in transit. And, the higher the count of affected customers, the higher the chances the laptop was stolen during a break‑in into a building, be it a home or the office.

I’m not sure if these ten cases are enough to derive any conclusions, but it seems to me that the form factor is not the issue. Or rather, the form factor is not the determining factor—chances are that something small will be stolen over something big, assuming they each have the same value; it’s just common sense. But in the four cases where a break‑in was involved (which is also the instances where the number of people affected was much higher), a thief could have easily stolen a desktop computer if a laptop had not been available. I mean, you don’t break in to a building, find there’s no laptops available, and just split. You have to take something; otherwise, what’s the point? I’d imagine that in those four instances, any computers would have been stolen, which is why I tend to advocate full disk encryption for all computers, not just laptops.

Laptop computers imply mobility. But the truth is that more and more companies are opting to buy laptop computers over desktops even when the computer is not expected to be taken home or anywhere else, for that matter. A laptop tends to suck less electricity; is quieter; can be easily moved off the desk if you need the desk space (or just move it around the office—meetings and repairs and such). For the average office user, there’s no pragmatic reason to opt for a desktop over a laptop computer.

So why store data in a laptop? My guess is that the response will be, going forward, “where else are you going to store it?”

The loss of a backup tape from the Bank of New York Mellon is making the rounds on the internet. According to a press release by the Connecticut AG’s office, the backup tape was lost by the storage company that was in charge of keeping the tapes safe, Archive Systems, Inc., not by the bank itself. It’s one of those instances when one hopes that full disk encryption was applied to the tape.

But the data on the tape was not encrypted, and this may mean that hundreds of thousands of CT residents—and possibly millions more in other states—could be affected by this loss. What’s surprising to me about this press release, though, is not the scope and size of the data breach; we’ve certainly had bigger and broader before. Rather, it’s the sense of urgency and risk that is conveyed by the AG. From the press release quoting CT Attorney General Richard Blumenthal (http://www.ct.gov/ag/cwp/view.asp?Q=416000&A=2795):

I am alarmed and deeply concerned by a recent and serious data breach at The Bank of New York Mellon ('BNY') involving the loss of computer backup tapes containing sensitive information of some 4.5 million consumers… This security breach seems highly dangerous, indeed possibly devastating in light of the identity theft threat.

It only seems like yesterday that the loss of backup tapes would be poo‑pooed as a non‑issue, since “special equipment” and “highly specialized knowledge” and “special software” would have been required to access the data. Granted, it was the people who lost the tapes issuing such press releases, so it was to be expected. But it was for naught, since in most cases the “words of comfort” seemed to ring hollow, at least to me.

Oh, there were cases where the words rang true, like when certain government branches had custom‑built systems which included both proprietary hardware and software. But even then, the tapes were probably off‑the‑shelf products, which implies commercially‑available hardware would take those tapes as well. So, one had to rely on the obscurity of the software to mask (and thus, protect) the data. But even then, if the software saves the data as plain text files, there is no guarantee of an information breach, as I’m fond of pointing out.

I guess one way to interpret the AG’s comments above is that people have gotten wise to the fact that only encryption solutions like AlertBoot can offer real data security in the event of data loss. It’s not surprising, though, that one would arrive at this conclusion. If the past year has shown me anything, it’s that criminals can pretty much overcome any obstacle except encryption.

Joe Sill bought fifty computers from a government auction. His intent, according to koco.com, was to refurbish and resell them. Instead, he’s had to put a hold on those plans because he found over 5000 Social Security numbers in the computers’ hard drives. If only those drives had full disk encryption on them; then, Sill would have just installed a new OS and be done with it.

The Oklahoma Corporation Commission, the source of the computers, is not to blame for the data breach, though (or, perhaps, they deserve partial blame). It turns out that they don’t usually handle sensitive information, so they left the hard drives behind in the computers for the auction. So where did the SSNs come from? Apparently, the computers were used by the Oklahoma Tax Commission before being transferred to the Corporation Commission. They may both be government entities but, just like the IRS shouldn’t have access to top secret information from the CIA, the Tax Commission should have ensured that those SSNs and any other sensitive information were wiped before handing the computers over to the Corporation Commission.

People have commented in various sites carrying the above news that this is not acceptable, and that it takes just a little time and the right software to ensure this doesn’t happen. What they mean is that data overwrites can prevent sensitive information like SSNs from leaking. An overwrite is much more secure than deletion because “deletion” doesn’t really delete data—it just marks that particular data space as available for new data and “hides” the icons from appearing on your desktop. Since the icons are now hidden, the user can’t access the data anymore. But this doesn’t mean that the data is actually gone.

Let me illustrate this point: if someone were to break into a library; rip the books’ titles off the spine for each book; and place them back in the shelves…the contents of those books are not gone, although you’d have a heck of a time trying to find “Tom Sawyer.” Deleting data in a computer is similar in nature. The data’s still there; you just can’t find it easily—unless you have the right software (which is also pretty cheap, considering). The only way to get rid of data is to write over it with some other data—preferably random gibberish. There’s software for that, too.
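The library analogy above can be run as code. This is an added example, not from the original post: `ToyDisk`, `residual_ssns` and `demo` are hypothetical names for a toy model of a drive, and the SSN-shaped values are constructed (the 000 prefix is never issued).

```python
import os
import re

SECTOR = 512
# SSN-shaped text (3-2-4 digits) that is not part of a longer digit run
SSN_RE = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

class ToyDisk:
    """Toy drive: raw sectors plus an index mapping file names to sectors."""
    def __init__(self, sectors=64):
        self.raw = bytearray(sectors * SECTOR)
        self.index = {}                    # the "titles on the spines"
        self.free = list(range(sectors))   # sectors available for new data

    def write(self, name, data):
        used = []
        for off in range(0, len(data), SECTOR):
            s = self.free.pop(0)
            chunk = data[off:off + SECTOR]
            self.raw[s * SECTOR:s * SECTOR + len(chunk)] = chunk
            used.append(s)
        self.index[name] = used

    def delete(self, name):
        # Ordinary deletion: drop the index entry and mark the sectors
        # reusable. The bytes in those sectors are left exactly as they were.
        self.free.extend(self.index.pop(name))

    def wipe_free_space(self):
        # Overwrite: fill every unallocated sector with random bytes.
        for s in self.free:
            self.raw[s * SECTOR:(s + 1) * SECTOR] = os.urandom(SECTOR)

def residual_ssns(raw):
    """Scan the raw bytes and ignore the index, as recovery software does."""
    return sorted({m.group().decode() for m in SSN_RE.finditer(bytes(raw))})

def demo():
    disk = ToyDisk()
    # Constructed sample records, not real people or real SSNs
    disk.write("taxpayers.csv",
               b"Tom Sawyer,000-12-3456\nBecky Thatcher,000-65-4321\n")
    disk.write("readme.txt", b"nothing sensitive here\n")
    disk.delete("taxpayers.csv")
    after_delete = residual_ssns(disk.raw)   # file is gone from the index...
    disk.wipe_free_space()
    after_wipe = residual_ssns(disk.raw)     # ...but only the wipe removes it
    return "taxpayers.csv" in disk.index, after_delete, after_wipe

if __name__ == "__main__":
    print(demo())
```

Running the same kind of raw scan over an image of a drive before it leaves the building is a cheap pre-disposal check. On real hardware, remapped sectors and SSD wear-leveling can keep copies that an in-place overwrite never touches.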

However, these commenters (commentors? commentators?) are wrong in one aspect. It takes more than a little time. Because each bit on the hard disk has to be written over—multiple times, if one wants enhanced security—the bigger the drive’s capacity, the longer it takes. Plus, computers need electricity to run, so one is severely limited on how many computers’ disks can be overwritten in parallel (unless you work in one of those offices with unlimited numbers of electrical sockets. I hear they don’t exist).

There are other ways of protecting data, though. One option that the Corporation Commission has resorted to is not including the hard drives for decommissioned computers to be auctioned off. There is, however, the problem of eventually disposing of the drives themselves—crushed, melted, data overwrites, or even encrypted.

Yep, full disk encryption solutions like AlertBoot would also be adequate for the disposal of hard drives. When it comes to the disposal of drives, the one advantage of disk encryption over data overwrites is that you’d have to do it just once, as opposed to the three or more overwrites per disk that is recommended among certain circles. Of course, if you have disk encryption at the very beginning, when you start using the computer, you get even more benefits, like bulletproof data protection if the computer is ever lost or stolen.